Designing a communication that will not be mistaken as a Phishing message

Putting together a survey invite, newsletter or other communication for the UBC community that does not confuse faculty and staff can be difficult, especially when UBC Cybersecurity is spending time training employees on what to report. However, there are some common items that faculty & staff typically look for in ascertaining whether a message is trustworthy or not. When taken into consideration while developing communications and survey invites, the following checklist can be used as a guide to increase the success rate of recipients accepting communications as legitimate:

Sender address

Where is the communication being sent from?

• The communication should be distributed from an @ubc.ca email address and should be recognizable as authoritative for the target audience.
• A [CAUTION: Non-UBC Email] warning tag will be added to the top of external email messages to remind recipients to verify the authenticity of the email before clicking on any hyperlinks, opening any attachments, forwarding or responding. The tag is not an indicator that an email is phishing, fraudulent or spam.
  • UBC communicators that utilize third party email sending services can request that the External Email Security Warning Tag not be applied to their legitimate notifications.
  • It is important to note that exemptions will not be provided for entire services or systems. Instead, exemptions are based on the service’s IP address(es), combined with the sending email address(es) used by the service for incoming email to UBC. To exempt a service, we require a complete list of the email addresses that the service uses to send emails to UBC mailboxes on behalf of the UBC unit.

Branding

Does the communication use UBC Common Look and Feel (CLF)?

• Banners and formatting using UBC branding can increase the legitimacy of your communication.

Salutations

Is the communication being sent to a named person?

• Wherever possible your communication should be sent to a named individual to personalize the message and increase legitimacy.

Use of Links

Is it necessary to include a link in your communication?

• Does your communication instruct recipients to visit a commonly used website or login to an application they are familiar with to discover more detail about the subject of your communication?
• Is it possible to provide instructions about where to find the information instead of including a hyperlink?
  • “Please log into [ ] and review your notifications.”
  • “Visit [title of website] for more information.”

Is it necessary to include a URL in your communication?

• If the inclusion of a URL is necessary, in an effort to discourage users from instinctively clicking on links in emails, we encourage staff and faculty to break the URLs in their emails by using hxxp in the prefix instead of http.
  • When sending mass internal communications, we recommend including the brief disclaimer: “Think before you click - copy and paste the URL into your browser and replace hxxps with https.”
• When composing or receiving an email, email software will not automatically turn hxxp URLs into clickable links. 
• Defanging a URL ensures that users must make a deliberate decision to visit the intended destination by copying and pasting the URL into their browser address bar.

Do the links provided go to a URL domain that the recipient is expecting?

• Ensure there are no link/URL mismatches; these can be caused by trackers. Employees are trained to hover over a link and see if it matches what they expect. Triple-check all links before sending the survey invite.

Avoid Fear, Uncertainty and Doubt

Does the email contain a message which is creating fear, uncertainty, and/or doubt?

• Do not include a sense of urgency or a fear of something bad happening, like the loss of access to a service or a benefit.

Signatures

Is the message signed by someone of authority?

• Communications should be sent by someone of authority, such that if the recipient has a question or concern they know who to connect directly with.
• In cases where it is not appropriate to provide a signatory, such as an initiative or program, include the name of the program along with a general email address that is regularly monitored.

Crafting a survey

• When designing your survey, you should only request the minimum amount of information required from respondents to provide statistically meaningful data.
• You should only request personal information from respondents where it is required to provide validity and/or to strengthen the analysis and results of the survey data.
• You should never request passwords or passcodes from respondents.

Further Resources

• Some published information about phishing that recipients use as their benchmark when evaluating emails:
  • How to spot "fishy" emails in your inbox
  • How to recognize targeted spear phishing emails
  • Self-phishing training
• How to develop, design and work with Qualtrics Surveys
• UBC branding materials